Bugzilla is not a support forum. If you need help, please post to the user's mailing list.
Hint: you can set the "cors.allowed.methods" init-param for the CorsFilter and allow whatever HTTP methods you want. By default, the filter supports GET,POST,HEAD,OPTIONS but you can add whatever you want to that list.
http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#CORS_Filter

This isn't a help request; it's a bug report.
Irrespective of allowed methods, the preflight filter evaluates the following:
"if (method != null && HTTP_METHODS.contains(method)) {" as well as "else if (COMPLEX_HTTP_METHODS.contains(method)) {"
Neither HTTP_METHODS nor COMPLEX_HTTP_METHODS contain "PATCH" hence, the original definition of "CORSRequestType requestType = CORSRequestType.INVALID_CORS;" is used.
Adding "PATCH" to both HTTP_METHODS and COMPLEX_HTTP_METHODS just purely enables the use of the allowed methods filter param.

This is ASF Bugzilla: the Apache Software Foundation bug system. In case
of problems with the functioning of ASF Bugzilla, please contact
bugzilla-admin@apache.org.
Please Note: this e-mail address is only for reporting problems
with ASF Bugzilla. Mail about any other subject will be silently
ignored.